Full Report
The U.S. Department of Justice said two Russian nationals were in custody as part of an operation against the Phobos ransomware gang, which has attacked hundreds of organizations and earned millions of dollars in extortion payments.
Analysis Summary
# Threat Actor: Phobos Ransomware Affiliates (Including 8Base and Affiliate 2803)
## Attribution & Identity
* **Identified Individuals:** Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39), both Russian nationals, were arrested.
* **Associated Groups/Aliases:** Operates as an affiliate organization utilizing the Phobos ransomware strain. Known operational names include **8Base** and **Affiliate 2803**.
* **Known Associations:** The group is connected to Phobos administrators; one alleged administrator, Evgenii Ptitsyn (Russian national), was previously arrested and extradited in November.
## Activity Summary
* The group is responsible for deploying the **Phobos ransomware** strain, allegedly infecting more than 1,000 entities worldwide.
* The US Department of Justice (DOJ) unsealed criminal charges against Berezhnoy and Glebov for roles in the operation, which earned over $16 million.
* The operation was subject to a coordinated international disruption involving law enforcement across over 14 countries, resulting in the arrest of four individuals (two men, two women) in Phuket, Thailand (Operation “PHOBOS AETOR”), and the technical disruption of over 100 servers used in the scheme.
* The 8Base leak site was replaced with a law enforcement splash page.
* In some cases, the group used a social media account on X to broadcast attacks and further extort victims.
* Prior warnings (Feb 2024) noted Phobos attacks impacting state, local, tribal, and territorial governments, including municipal/county governments, emergency services, education, and public healthcare.
## Tactics, Techniques & Procedures
* **Ransomware Deployment:** Primary method of operation involves deploying Phobos ransomware.
* **Double Extortion:** Aggressively employed double extortion tactics, threatening to publish stolen information if ransom was not paid, in addition to data encryption.
* **Affiliate Model:** Operated an affiliate structure where affiliates (like Berezhnoy and Glebov) paid fees to the main Phobos administrators for decryption keys and services.
* **Variant Development:** 8Base utilized the Phobos infrastructure (encryption and delivery mechanisms) to develop its own tailored variant of the ransomware.
* **Communication/Extortion:** Used social media accounts (X) to publicize attacks.
* **MITRE ATT&CK IDs:** Not explicitly mentioned in the text.
## Targeting
* **Sectors:** Public and private entities, including children’s hospitals, multiple healthcare providers, colleges, municipal and county governments, emergency services, education, and public healthcare entities. The actor specifically focused on "smaller businesses and organizations" lacking robust cybersecurity.
* **Geography:** Global scope, with operations and arrests spanning the US, Thailand, Italy, Germany, and involvement of French authorities.
* **Victims:** Hundreds of organizations victimized. Specific victim types include healthcare, education, and SLTT governments. Ransoms were generally smaller, often under $100,000 (one noted payment was $12,000 in Bitcoin).
## Tools & Infrastructure
* **Malware Families Used:** **Phobos ransomware** (including variants developed by affiliates like 8Base).
* **Infrastructure:** Over 100 servers used as part of the Phobos scheme were taken down by law enforcement.
* **Reference Links (source reporting, not indicators):**
  * Report on the law enforcement splash page that replaced the 8Base leak site: `https://therecord.media/8base-ransomware-site-taken-down-4-arrested`
  * DOJ statement: `https://www.justice.gov/opa/pr/phobos-ransomware-affiliates-arrested-coordinated-international-disruption`
  * Superseding indictment: `https://content.govdelivery.com/attachments/USDOJOPA/2025/02/10/file_attachments/3160298/Berezhnoy%20Glebov%20superseding%20indictment%20508%20%2B%20coversheet.pdf`
  * Europol statement: `https://www.europol.europa.eu/media-press/newsroom/news/key-figures-behind-phobos-and-8base-ransomware-arrested-in-international-cybercrime-crackdown?mtm_campaign=newsletter`
  * Ptitsyn arrest and extradition report: `https://therecord.media/russian-national-in-custody-extradited`
  * CISA advisory (AA24-060A): `https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a?utm_medium=email&utm_source=govdelivery`
## Implications
This coordinated international law enforcement action marks a significant blow against the Phobos ecosystem, dismantling key administrative and affiliate infrastructure and leading to the arrest of high-value targets. The focus on smaller, potentially less-defended organizations highlights the continued risk these groups pose to critical, localized public services. The dismantling of the 8Base infrastructure suggests a successful disruption of a key Phobos variant developer/user.
## Mitigations
* Organizations, especially smaller entities, public services, and healthcare providers, must enhance cybersecurity defenses capable of thwarting ransomware attacks.
* Implement robust, tested data backup and recovery strategies (including offline or otherwise isolated copies) to limit the impact of successful encryption.
* Be vigilant against social engineering tactics used for initial access or secondary extortion attempts (e.g., monitoring suspicious communications on platforms like X).
* Ensure prompt patching and hardening, as threat actors are leveraging established ransomware platforms like Phobos to target less-protected entities.